Just curious: is it possible to launch an impersonation attack using the JSESSIONID if the JSESSIONID cookie is exposed over an HTTP communication channel, even though AuthCookie is already enabled?
Does WebLogic allow this?
Thank you!
Enabling AuthCookie causes WebLogic Server to send a new secure cookie, _WL_AUTHCOOKIE_JSESSIONID, to the browser when authenticating via an HTTPS connection.
If you have just HTTP, you will have only the JSESSIONID, which is not a secure cookie.
Worth checking: Can someone who merely knows my current JSESSIONID impersonate / hijack my session (Tomcat 7/Glassfish 3.2)?
So the answer is yes.
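To make the two-cookie behaviour concrete, here is an added example (my own model, not WebLogic's code or anything from the original post) of how the AuthCookie scheme described in the answer plays out. It assumes the documented behaviour: with AuthCookieEnabled the server issues JSESSIONID plus a Secure-flagged _WL_AUTHCOOKIE_JSESSIONID at an HTTPS login, a browser never sends a Secure cookie over plain HTTP, and resources requested over HTTPS require the auth cookie to match. The `Server`, `Cookie` and `scenario` names, the paths and the return strings are all constructed for illustration.

```python
"""Model of WebLogic's AuthCookie scheme (constructed example, not WebLogic code).

Shows why a JSESSIONID sniffed from plain HTTP is enough to hijack the HTTP
side of a session but not the HTTPS-protected side: the auth cookie has the
Secure flag, so it never crosses the wire in the clear and cannot be captured.
"""
import hmac
import secrets
from dataclasses import dataclass
from typing import Dict, List, Optional

AUTH_COOKIE = "_WL_AUTHCOOKIE_JSESSIONID"


@dataclass
class Cookie:
    name: str
    value: str
    secure: bool  # Secure flag: a browser sends the cookie only over HTTPS


@dataclass
class Session:
    user: str
    auth_cookie_value: Optional[str]  # set only when the login happened over HTTPS


class Server:
    """Minimal stand-in for a container with AuthCookieEnabled=true (assumption)."""

    def __init__(self) -> None:
        self.sessions: Dict[str, Session] = {}

    def login(self, user: str, scheme: str) -> List[Cookie]:
        """Authenticate the user and return the cookies the server would set."""
        sid = secrets.token_hex(16)
        cookies = [Cookie("JSESSIONID", sid, secure=False)]
        auth_value = None
        if scheme == "https":
            # The auth cookie is issued only on an HTTPS login and is Secure.
            auth_value = secrets.token_hex(16)
            cookies.append(Cookie(AUTH_COOKIE, auth_value, secure=True))
        self.sessions[sid] = Session(user, auth_value)
        return cookies

    def request(self, scheme: str, cookies: Dict[str, str]) -> str:
        """Serve a request; HTTPS resources additionally demand the auth cookie."""
        sess = self.sessions.get(cookies.get("JSESSIONID", ""))
        if sess is None:
            return "401 no session"
        if scheme == "https":
            presented = cookies.get(AUTH_COOKIE, "")
            expected = sess.auth_cookie_value or ""
            # constant-time compare so the check itself leaks nothing about the value
            if not expected or not hmac.compare_digest(presented, expected):
                return "302 redirect to login"
        return f"200 hello {sess.user}"


def browser_cookie_header(jar: List[Cookie], scheme: str) -> Dict[str, str]:
    """What a browser includes in the Cookie header for the given scheme."""
    return {c.name: c.value for c in jar if scheme == "https" or not c.secure}


def sniff_http_cookies(jar: List[Cookie]) -> Dict[str, str]:
    """An attacker on the path sees exactly what the browser sends over HTTP."""
    return browser_cookie_header(jar, "http")


def scenario() -> Dict[str, object]:
    """Victim logs in over HTTPS, later browses over HTTP; attacker replays the sniffed cookies."""
    srv = Server()
    jar = srv.login("alice", "https")
    stolen = sniff_http_cookies(jar)  # JSESSIONID only; the Secure cookie never left the browser
    return {
        "stolen_has_auth_cookie": AUTH_COOKIE in stolen,
        "attacker_http": srv.request("http", stolen),
        "attacker_https": srv.request("https", stolen),
        "victim_https": srv.request("https", browser_cookie_header(jar, "https")),
    }


if __name__ == "__main__":
    for key, value in scenario().items():
        print(f"{key}: {value}")
```

The practical check against a real deployment is the same replay: capture the JSESSIONID a browser sends over plain HTTP, present it alone (no _WL_AUTHCOOKIE_JSESSIONID) to an HTTP resource and then to an HTTPS-protected one, and see which the server serves. In this model the HTTP resource is served to the attacker, matching the answer's "yes", while the HTTPS resource bounces to login because the auth cookie was never exposed.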